Monitoring and Troubleshooting Network Protocol Security


Objective:

Monitor network protocol security. Tools might include the IP Security Monitor Microsoft Management Console (MMC) snap-in and Kerberos support tools.

Troubleshoot network protocol security. Tools might include the IP Security Monitor MMC snap-in, Event Viewer, and Network Monitor.

With the discussion of creating and implementing IPSec policies behind us, although at a rather simple level, it's now time to move on and examine the monitoring and troubleshooting of IPSec on your network. Although the actual configuring and implementing of IPSec is beyond the scope of Exam 70-291, for the exam you are expected to be able to perform basic monitoring and troubleshooting. In addition, Kerberos is the default user authentication protocol in Windows Server 2003, and you will from time to time need to monitor and troubleshoot Kerberos as well.

Exam Alert: Know Your IPSec!

For this exam, even though the objectives don't really lend themselves to it, you must have a solid understanding of IPSec, the three default IPSec policies, and basic IPSec policy components. Be sure you understand the background of IPSec before you take the exam.


Monitoring IPSec

Going back to the customized IPSec management console that you created earlier in Step by Step 8.1, let's spend some time now with the IP Security Monitor snap-in. The IP Security Monitor snap-in is divided into three major areas: the Active Policy node, the Main Mode node, and the Quick Mode node. The Active Policy node is shown in Figure 8.52. Table 8.1 explains each of the information items shown in the Active Policy node of the IP Security Monitor snap-in.

Figure 8.52. The Active Policy node statistics get you up to speed quickly on the currently assigned IPSec policy.


Table 8.1. Active Policy Node Items

  • Policy Name: Specifies the name of the active IPSec policy.

  • Description: Describes the active IPSec policy.

  • Policy Last Modified: Provides the date and the time that the active IPSec policy was last modified.

  • Policy Store: Provides the storage location for the active IPSec policy. For a local policy, it reads Local Store; for a domain policy, it reads Domain Store.

  • Policy Path: Applies only to domain policies and provides the LDAP path to the active IPSec policy.

  • Organizational Unit: Applies only to domain policies and lists the organizational unit to which the Group Policy Object (GPO) is applied.

  • Group Policy Object Name: Applies only to domain policies and lists the GPO in which the active IPSec policy is assigned.


Exam Alert: Know the IPSec Monitoring Areas

For this exam, make sure that you have a good understanding of what types of information you can find in each of the nodes of the IP Security Monitor.


The Statistics folder in the Main Mode node, which is shown in Figure 8.53, provides information about the Phase I security associations (SAs), as detailed in Table 8.2. The remaining Main Mode folders all provide specific information about the IPSec policy currently in effect, and thus will be empty when no policy is in effect. The Main Mode SA, also known as the ISAKMP SA, is used to protect the IPSec security negotiations.

Figure 8.53. The Main Mode node Statistics folder displays information about the Phase I SAs.


Table 8.2. Main Mode (Internet Key Exchange) Statistics

  • Active Acquire: Displays the number of requests by the IPSec driver to have IKE perform a task. This number includes all outstanding and queued requests and is typically 1. Under heavy loading, this number increases.

  • Active Receive: Displays the number of IKE messages that have been received and are queued for processing.

  • Acquire Failures: Displays the number of times that an acquire has failed.

  • Receive Failures: Displays the number of times that errors have occurred in receiving IKE messages.

  • Send Failures: Displays the number of times that errors have occurred in sending IKE messages.

  • Acquire Heap Size: Displays the number of entries in the acquire heap, which stores active acquires. This number increases with heavy loading and decreases as the heap is cleared.

  • Receive Heap Size: Displays the number of entries in the IKE receive buffers for incoming IKE messages.

  • Authentication Failures: Displays the total number of identity authentication failures that have occurred during Main mode negotiation. This is a useful indicator for determining whether the authentication methods do not match between two computers attempting to communicate.

  • Negotiation Failures: Displays the total number of negotiation failures that occurred during Main mode or Quick mode negotiation. This is a useful statistic for determining whether security and/or authentication methods do not match between two computers attempting to communicate.

  • Invalid Cookies Received: Displays the number of IKE messages received with an invalid cookie. A cookie is a value carried in a received IKE message that IKE uses to find the state of an active Main mode; if the cookie cannot be matched with an active Main mode, it is invalid.

  • Total Acquire: Displays the total number of requests submitted to IKE by the IPSec driver to establish an SA for securing traffic.

  • Total Get SPI: Displays the total number of requests submitted by IKE to the IPSec driver to obtain a unique Security Parameters Index (SPI).

  • Key Additions: Displays the number of outbound Quick mode SAs added by IKE to the IPSec driver.

  • Key Updates: Displays the number of inbound Quick mode SAs added by IKE to the IPSec driver.

  • Get SPI Failures: Displays the number of requests submitted by IKE to the IPSec driver to obtain a unique SPI that have failed.

  • Key Addition Failures: Displays the number of outbound Quick mode SA addition requests submitted by IKE to the IPSec driver that have failed.

  • Key Update Failures: Displays the number of inbound Quick mode SA addition requests submitted by IKE to the IPSec driver that have failed.

  • ISADB List Size: Displays the number of Main mode state entries, including negotiated Main modes, Main modes in progress, and Main modes that have failed and have not yet been deleted.

  • Connection List Size: Displays the number of Quick mode state entries. This number indicates the load placed on the computer.

  • IKE Main Mode: Displays the total number of successful SAs created during Main mode negotiations.

  • IKE Quick Mode: Displays the total number of successful SAs created during Quick mode negotiations. There are typically multiple Quick mode SAs created for each Main mode SA; thus, this value does not necessarily match the Main mode value.

  • Soft Associations: Displays the total number of negotiations that resulted in the use of unsecured traffic (also known as soft SAs). Typically this indicates SAs formed with computers that do not support IPSec or that were not able to negotiate successful IPSec connections. This can be an indication of mismatched security and authentication settings.

  • Invalid Packets Received: Displays the number of received IKE messages that were invalid. Most commonly, invalid IKE messages are a result of retransmitted IKE messages or mismatched preshared keys between the communicating computers.


The Statistics folder in the Quick Mode node, which is shown in Figure 8.54, provides information about the Phase II SAs, as detailed in Table 8.3. The remaining Quick Mode folders all provide specific information about the IPSec policy currently in effect, and thus will be empty when no policy is in effect. The Quick Mode SAs, also known as the IPSec SAs, are those security associations that have been created to protect the data sent between computers communicating securely using IPSec.

Figure 8.54. The Quick Mode node Statistics folder displays information about the Phase II SAs.


Table 8.3. Quick Mode (IPSec) Statistics

  • Active Security Associations: Displays the number of active IPSec SAs.

  • Offloaded Security Associations: Displays the number of active IPSec SAs that have been offloaded to hardware.

  • Pending Key Operations: Displays the number of IPSec key operations that are in progress.

  • Key Additions: Displays the total number of successful IPSec SA negotiations.

  • Key Deletions: Displays the number of key deletions for IPSec SAs.

  • Re-Keys: Displays the number of rekey operations for IPSec SAs.

  • Active Tunnels: Displays the number of active IPSec tunnels.

  • Bad SPI Packets: Displays the total number of packets for which the SPI was incorrect. SPIs are used to match inbound packets with SAs. If the SPI is incorrect, the inbound SA may have expired. If rekeying intervals are set very short, this number is likely to increase very rapidly. Under normal conditions, a bad SPI packet does not mean that IPSec is failing, because SAs expire normally.

  • Packets Not Decrypted: Displays the total number of packets that were not decrypted successfully. This may indicate that a packet has arrived for which the SA has previously expired. When the SA expires, the session key used to decrypt packets is removed. By itself, this does not indicate that IPSec is failing.

  • Packets Not Authenticated: Displays the total number of packets for which data could not be verified, meaning that the integrity hash verification failed. Most commonly this is a result of an expired SA.

  • Packets with Replay Detection: Displays the total number of packets that contained a valid Sequence Number field.

  • Confidential Bytes Sent: Displays the total number of bytes sent using the ESP protocol.

  • Confidential Bytes Received: Displays the total number of bytes received using the ESP protocol.

  • Authenticated Bytes Sent: Displays the total number of bytes sent using the AH protocol.

  • Authenticated Bytes Received: Displays the total number of bytes received using the AH protocol.

  • Transport Bytes Sent: Displays the total number of bytes sent using IPSec transport mode.

  • Transport Bytes Received: Displays the total number of bytes received using IPSec transport mode.

  • Bytes Sent in Tunnels: Displays the total number of bytes sent using IPSec tunnel mode.

  • Bytes Received in Tunnels: Displays the total number of bytes received using IPSec tunnel mode.

  • Offloaded Bytes Sent: Displays the total number of bytes sent using hardware offload.

  • Offloaded Bytes Received: Displays the total number of bytes received using hardware offload.


Configuring the IP Security Monitor hasn't changed much since Windows 2000, except that the IP Security Monitor is now an MMC snap-in. You can open the IP Security Monitor properties for any server listed in the IP Security Monitor node by right-clicking it and selecting Properties from the context menu. The server Properties page opens, as shown in Figure 8.55. You have the option to change the refresh interval for the display of the IP Security Monitor statistics and to decide whether you want to enable DNS name resolution, which comes into play when you're examining the SAs that are formed.

Figure 8.55. There's not much to configure for the IP Security Monitor's properties.


Troubleshooting IPSec

If you have problems with IPSec, you should first verify that any routers or firewalls that traffic may be passing through are configured to support IPSec traffic. You need to allow the following traffic:

  • IP protocol IDs 50 and 51 (ESP and AH traffic, respectively)

  • UDP port 500 for IKE (IPSec negotiation) traffic
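As an added illustration (not code from the book or from Microsoft), the following Python script shows how the two allow-list items above are recognised on the wire, and how an inbound SA table uses the SPI and the sequence number that Table 8.3 refers to in its Bad SPI Packets and Packets with Replay Detection counters. The packets, the SPI values and the 32-packet anti-replay window size are constructed for the example; only the header layouts of IPv4, UDP, ESP and AH are taken from the protocol specifications.

```python
import struct
import ipaddress

# IP protocol numbers and the IKE port from the allow list above.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT = 500


def parse_ipv4(pkt: bytes):
    """Return (protocol number, layer-4 payload) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                     # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], pkt[ihl:total_len]


def classify_ipsec(pkt: bytes):
    """Name the IPSec traffic class a filter must permit ("ESP", "AH", "IKE"), else None."""
    proto, payload = parse_ipv4(pkt)
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return "IKE"
    return None


def spi_and_seq(proto: int, payload: bytes):
    """SPI and sequence number: ESP carries them first, AH after a 4-byte header."""
    if proto == PROTO_ESP:
        return struct.unpack("!II", payload[:8])
    if proto == PROTO_AH:
        return struct.unpack("!II", payload[4:12])
    raise ValueError("not an ESP or AH payload")


class InboundSADB:
    """Inbound SA table keyed by SPI, with a sliding anti-replay window per SA (assumed size 32)."""
    WINDOW = 32

    def __init__(self, spis):
        self.sas = {spi: {"top": 0, "bitmap": 0} for spi in spis}
        self.stats = {"accepted": 0, "bad_spi": 0, "replay": 0}

    def inbound(self, pkt: bytes) -> str:
        proto, payload = parse_ipv4(pkt)
        spi, seq = spi_and_seq(proto, payload)
        sa = self.sas.get(spi)
        if sa is None:                            # SPI matches no SA: a Bad SPI packet
            self.stats["bad_spi"] += 1
            return "bad_spi"
        top = sa["top"]
        if seq > top:                             # advance the window; bit 0 is the newest seq
            shift = seq - top
            bitmap = (sa["bitmap"] << shift) | 1 if shift < self.WINDOW else 1
            sa["bitmap"] = bitmap & ((1 << self.WINDOW) - 1)
            sa["top"] = seq
        else:
            diff = top - seq
            if diff >= self.WINDOW or (sa["bitmap"] >> diff) & 1:
                self.stats["replay"] += 1         # older than the window, or already seen
                return "replay"
            sa["bitmap"] |= 1 << diff
        self.stats["accepted"] += 1
        return "ok"


# --- constructed sample packets (not real captures); checksums are left as zero ---
def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def esp_packet(spi: int, seq: int) -> bytes:
    return build_ipv4(PROTO_ESP, struct.pack("!II", spi, seq) + b"\x00" * 16)


def ah_packet(spi: int, seq: int) -> bytes:
    return build_ipv4(PROTO_AH, bytes([0, 4, 0, 0]) + struct.pack("!II", spi, seq) + b"\x00" * 12)


def ike_packet() -> bytes:
    udp = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + 28, 0) + b"\x00" * 28
    return build_ipv4(PROTO_UDP, udp)


def tcp_packet() -> bytes:
    return build_ipv4(6, b"\x00" * 20)


def demo():
    """Feed one SA an in-order, out-of-order, replayed and far-ahead sequence, then a bad SPI."""
    sadb = InboundSADB(spis=[0x1001])
    results = [sadb.inbound(esp_packet(0x1001, s)) for s in (1, 2, 4, 3, 2, 40, 5)]
    results.append(sadb.inbound(esp_packet(0x2002, 1)))
    return results, dict(sadb.stats)


if __name__ == "__main__":
    for p in (esp_packet(1, 1), ah_packet(1, 1), ike_packet(), tcp_packet()):
        print(classify_ipsec(p))
    print(demo())
```

The replay check shows why a rising Bad SPI or replay count is not by itself a failure: a packet whose SA has been deleted after expiry, or one that falls behind the window after a burst, is dropped by design, exactly as the Table 8.3 notes describe.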

Some other basic problems and troubleshooting tips for them are outlined here:

  • You are not able to establish any communications with a computer: In this case, you should first verify that basic network connectivity exists between the computers in question by using the ping command. You should also ensure that all required network services, such as DHCP and DNS, are operating properly for both computers.

  • You are not able to establish any communications with a computer: This may be a result of a computer having been removed from the domain. Whatever the cause of the removal, it causes IPSec communications to fail.

  • Communications are occurring, but not as expected: You need to ensure that you have the correct (and compatible) IPSec policies assigned on both computers.

  • No hard associations are being formed: If there are currently soft associations in place, a hard association will not be formed. You need to completely stop all communications between the computers for approximately 5-10 minutes to allow the soft associations to time out. The easiest way to do this is to disable the network connection. After you have allowed the soft association to time out, you should check to see that a hard association has been formed. If a hard association still has not been formed, you need to examine the IPSec policy to verify that unsecured communications are not allowed.

  • IPSec communications are failing after you configure a digital certificate for authentication: You must make sure that the required digital certificate is installed on the computers that attempt to communicate by using that IPSec policy. This can also be a result of specifying an incorrect Certificate Authority (CA).

  • Some computers can create IPSec connections and some cannot: This is most likely caused by not having the same IPSec policy applied to all the computers. If you intentionally use different policies, you need to ensure that they share at least one common authentication method and one common security method.

You should also be aware that IPSec-related problems can be found in the security log. You can view IKE events (negotiation success and failure) by enabling success and/or failure auditing for the Audit Logon Events audit policy for the domain or the local computer. The same audit category is also used for the auditing of user logon events in other services, but you can disable the IKE events by editing the registry. For more information on configuring and implementing auditing, refer back to Chapter 5, "Implementing, Managing, and Maintaining Network Security."

When success and/or failure auditing for the Audit Logon Events audit policy is enabled, IPSec records the success and/or failure of each Main mode and Quick mode negotiation. The establishment and termination of each negotiation is logged as a separate event for easier analysis and troubleshooting. Be aware, however, that when you enable audit logon events, the security log will likely quickly fill up with IKE events unless you opt to disable auditing of those events through registry editing.

The Network Monitor included in Windows Server 2003 can also be used to view IPSec traffic between the computer it is installed on and other network computers. Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. The parsers for ESP can parse inside the ESP packet only if null encryption is being used and the full ESP packet is captured. Network Monitor cannot parse the encrypted portions of IPSec-secured ESP traffic when the encryption is being performed in Windows. However, if the encryption is being performed by an IPSec hardware offload network adapter, the ESP packets have already been decrypted when Network Monitor captures them, and as a result, they can be parsed and interpreted into the upper-layer protocols. If you need to diagnose ESP Windows-encrypted communication (that is, software-encrypted communication), you must first disable ESP encryption and use ESP null encryption by changing the IPSec policy on each computer.

Monitoring and Troubleshooting Kerberos

Kerberos seems to pop up all over the place in Windows Server 2003. Kerberos is the default network authentication method for Windows Server 2003 networks. It can also be used as an IPSec authentication method. Although Kerberos is often thought of as a "set it and forget it" service, you might from time to time need to monitor and troubleshoot it.

Although there are no default tools provided in Windows Server 2003 that allow you to monitor and manipulate Kerberos tickets, two Windows Server 2003 Resource Kit tools are available that you can use:

  • kerbtray.exe: You can use the kerbtray.exe utility to view cached Kerberos tickets for the current computer from within the Windows GUI.

  • klist.exe: The klist.exe utility is a command-line tool that is similar to kerbtray.exe. klist.exe allows you to view and delete cached Kerberos tickets.

You can download the Resource Kit tools from the Microsoft Web site at www.microsoft.com/downloads by searching for "Windows Server 2003 Resource Kit Tools."

The following sections examine the function and usage of these two tools.

kerbtray.exe

The kerbtray.exe tool is used to display the cached ticket information for a computer running the Microsoft implementation of the Kerberos version 5 protocol. After kerbtray.exe has been installed and executed, it sits (appropriately enough) in the tray area of the taskbar, as shown in Figure 8.56.

Figure 8.56. The kerbtray.exe icon waits in the tray area of the taskbar.


By moving the cursor over the kerbtray.exe icon, you can quickly see a display that lets you know how much time is left before the ticket-granting ticket (TGT) expires. In addition, this icon changes during the last hour before the local security authority (LSA) renews the ticket. When you double-click the kerbtray.exe icon, the Kerberos Tickets dialog box opens, as shown in Figure 8.57, allowing you to quickly determine the cached ticket status.

Figure 8.57. The Kerberos Tickets dialog box allows you to graphically view cached Kerberos tickets for the local computer.


The Kerberos Tickets dialog box consists of four informational areas:

  • Top section: Provides the name of the Kerberos client principal that is associated with the Windows domain account.

  • Scrolling section: Lists the domains and tickets for all services that have been used since the user logged on. Selecting an item here causes its properties to display in the middle and bottom sections.

  • Middle section: Displays the service principal, that is, the target principal for the ticket selected in the domain list.

  • Bottom section: Provides a set of tabs (Names, Times, Flags, and Encryption Types) that show the attributes of the ticket selected in the scrolling section.

Table 8.4 details the information that you see on the tabs of the bottom section of the Kerberos Tickets dialog box.

Table 8.4. Options on the Kerberos Tickets Dialog Box Bottom Section Tabs

Names tab:

  • Client Name: The requester of the ticket, which in most cases is the client's principal name.

  • Service Name: The canonical name of the account principal for the service, which is the same as the samAccountName property in the directory.

  • Target Name: The service name for which the ticket was requested.

Times tab:

  • Start Time: The time that the ticket becomes valid.

  • End Time: The time that the ticket's validity ends.

  • Renew Until: The maximum lifetime of the ticket if it is renewable.

Flags tab:

  • Forwardable: When this flag is set, it allows for authentication forwarding without requiring the user to enter a password again.

  • Forwarded: This flag is set by the ticket-granting service (TGS) when a client presents a ticket with the Forwardable flag set and requests that it be set by specifying the Forwarded (KDC) option and supplying a set of addresses for the new ticket.

  • Proxiable: When this flag is set, it allows a client to pass a proxy to a server to perform a remote request on its behalf.

  • Proxy: This flag is set on a ticket by the TGS when the service issues a proxy ticket.

  • May Postdate: This flag can be set in a TGT to issue a postdated ticket based on the presented ticket.

  • Postdated: When this flag is set, it indicates that the ticket has been postdated.

  • Invalid: When this flag is set, it indicates that the ticket is not valid. For example, a postdated ticket is typically issued in this form.

  • Initial: When this flag is set, it indicates that the ticket was issued by using the authentication server (AS) protocol and not issued based on a TGT.

  • Renewable: When this flag is set, it allows the ticket holder to maintain a valid ticket for long periods of time.

  • HW Authenticated: This flag is used to provide additional information about the initial authentication, regardless of whether the current ticket was issued directly.

  • Preauthenticated: This flag is used to provide additional information about the initial authentication, regardless of whether the current ticket was issued directly.

  • OK as Delegate: When this flag is set, it indicates that the server specified in the ticket has been determined by policy to be a suitable recipient of delegation.

Encryption Types tab:

  • Ticket Encryption Type: Specifies the encryption type that is used to encrypt the Kerberos ticket.

  • Key Encryption Type: Specifies the encryption type that is used with the enclosed session key.


klist.exe

The klist.exe tool is run from the command line and provides similar functionality to that offered by kerbtray.exe. In addition, klist.exe allows you to purge cached tickets if desired. The basic syntax of the klist.exe command is this:

klist [tickets | tgt | purge]


The functions of the klist.exe options are detailed in Table 8.5.

Table 8.5. klist.exe Options

  • tickets: Lists information about the currently cached tickets for services that you have authenticated to since logging on.

  • tgt: Lists information about the initial Kerberos TGT.

  • purge: Allows you to delete a specific ticket.


The tickets and tgt switches are explained in more detail in Table 8.6.

Table 8.6. The klist.exe tickets and tgt Switches

The tickets switch:

  • Server: Lists the server and domain for the ticket.

  • KerbTicket Encryption Type: Lists the encryption type used to encrypt the Kerberos ticket.

  • End Time: Lists the time that the ticket becomes invalid.

  • Renew Time: Lists the maximum lifetime of the ticket, if it is renewable.

The tgt switch:

  • ServiceName: Displays the service name for the TGT, which is krbtgt.

  • TargetName: Displays the name of the service for which the ticket was requested.

  • FullServiceName: Displays the canonical name of the account principal for the service.

  • DomainName: Displays the domain name of the service.

  • TargetDomainName: Displays the realm (domain) in which the ticket is good if the ticket is a cross-realm ticket.

  • AltTargetDomainName: Displays the name supplied to the InitializeSecurityContext call that generated the ticket, which is typically a service principal name.

  • TicketFlags: Displays the ticket flags set on the current ticket in hexadecimal. The kerbtray.exe tool displays these same flags by name on the Flags tab.

  • KeyExpirationTime: Displays the expiration time from the KDC reply.

  • Start time: Displays the time when the ticket becomes valid.

  • End Time: Displays the time when the ticket becomes invalid.

  • RenewUntil: Displays the maximum lifetime of the ticket, if the ticket is renewable.

  • TimeSkew: Displays the reported time difference between the client computer and the server computer for a ticket.
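The hexadecimal TicketFlags value that klist tgt prints and the named check boxes on the kerbtray.exe Flags tab are two views of the same 32-bit field. The following Python script is an added example (not code from the book, the Resource Kit, or Microsoft) that decodes that field and works out the remaining lifetime and renewal state that kerbtray.exe summarises. The bit positions come from RFC 4120 section 5.3, where TicketFlags is a bit string with bit 0 as the most significant bit; the "key: value" layout of the sample tgt output, the realm name and the timestamps are constructed for the example and may not match the real tool's output.

```python
from datetime import datetime, timedelta

# Ticket flag bit positions from RFC 4120 section 5.3 (bit 0 = most significant
# bit of the 32-bit value). Names follow the kerbtray.exe Flags tab where one exists.
TICKET_FLAG_BITS = {
    1: "Forwardable",
    2: "Forwarded",
    3: "Proxiable",
    4: "Proxy",
    5: "May Postdate",
    6: "Postdated",
    7: "Invalid",
    8: "Renewable",
    9: "Initial",
    10: "Preauthenticated",
    11: "HW Authenticated",
    12: "Transited Policy Checked",
    13: "OK as Delegate",
}


def decode_ticket_flags(hex_value: str):
    """Turn a hexadecimal TicketFlags value into (known flag names, unknown bit numbers)."""
    value = int(hex_value, 16)
    if value >> 32:
        raise ValueError("TicketFlags is a 32-bit value")
    names, unknown = [], []
    for bit in range(32):
        if value & (0x80000000 >> bit):
            if bit in TICKET_FLAG_BITS:
                names.append(TICKET_FLAG_BITS[bit])
            else:
                unknown.append(bit)         # report rather than guess at undocumented bits
    return names, unknown


# Assumed "key: value" line layout for the tgt output; timestamps in this format.
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_tgt_output(text: str) -> dict:
    """Collect the fields of a klist tgt style listing into a dictionary."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)   # split on the first colon only (times contain colons)
            fields[key.strip()] = value.strip()
    return fields


def ticket_status(fields: dict, now: datetime) -> dict:
    """Remaining lifetime and renewal state, as kerbtray.exe shows on hover and in its tray icon."""
    flags, _ = decode_ticket_flags(fields["TicketFlags"])
    end = datetime.strptime(fields["End Time"], TIME_FMT)
    renew_until = datetime.strptime(fields["RenewUntil"], TIME_FMT)
    remaining = end - now
    renewable = "Renewable" in flags
    return {
        "flags": flags,
        "expired": now >= end,
        "minutes_left": int(remaining.total_seconds() // 60),
        # kerbtray.exe changes its icon during the last hour before the LSA renews the TGT
        "renewal_due": renewable and timedelta(0) < remaining <= timedelta(hours=1),
        "can_renew": renewable and now < renew_until,
    }


# Constructed sample listing (not real tool output); EXAMPLE.LOCAL is a placeholder realm.
SAMPLE_TGT = """\
ServiceName: krbtgt
TargetName: krbtgt
DomainName: EXAMPLE.LOCAL
TicketFlags: 0x40e10000
Start time: 2024-03-05 08:00:00
End Time: 2024-03-05 18:00:00
RenewUntil: 2024-03-12 08:00:00
"""


def demo():
    """Status of the sample TGT mid-day, in the last hour, and a week later."""
    fields = parse_tgt_output(SAMPLE_TGT)
    return (
        ticket_status(fields, datetime(2024, 3, 5, 9, 30)),
        ticket_status(fields, datetime(2024, 3, 5, 17, 30)),
        ticket_status(fields, datetime(2024, 3, 12, 9, 0)),
    )


if __name__ == "__main__":
    print(decode_ticket_flags("0x40e10000"))
    for status in demo():
        print(status)
```

A value such as 0x40e10000 decodes to Forwardable, Renewable, Initial and Preauthenticated, with bit 15 reported as unknown; the decoder deliberately lists bits it has no name for instead of inventing one, so a ticket with an unexpected flag stands out during troubleshooting.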


Caution: Purging Tickets

When you purge a ticket, you destroy all tickets that have been cached. You should do this with extreme caution. Purging tickets often prevents you from being able to successfully authenticate to network resources. If this occurs, you need to log off and log on again to obtain new tickets, and this can be disastrous if you have files open for editing across the network.


The klist.exe tool can be used to monitor and troubleshoot Kerberos from the command line. Figure 8.58 presents an example of what the klist tickets command might return.

Figure 8.58. The klist tickets command displays information about all cached Kerberos tickets for the computer.





MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied